On 24/03/2016 16:11, Eric Mill wrote:
> A less cynical response is that the researcher failed to show what they
> said they showed. So the situation is basically just the same as it was
> before the researcher made their post, except that StartCom has made an
> improvement that adds a server-side check to make sure the email address is
> what was presented.
>
Correction: StartSSL claims the check was always in place, and the
input was allowed because it was *intentionally* allowed to provide
that value, even if the user interface suggested it should have been
typed at an earlier HTML page in the sequence.
> Not that StartCom looks awesome in this situation, it's a dangerous area
> for bugs to be present and could/should mean that they and others apply
> some more scrutiny to their interface -- but I don't think there's any
> reason to assume bad faith in StartCom's response.
As their answer stands, the only issue may be that the user interface
doesn't allow the requester to type in that more secure e-mail address
directly.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.
https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded